The Year of the Breach

As the year is coming to a close, news headlines were dominated by reports of high-profile security attacks, some launched by “hacktivists” such as Anonymous and LULZSEC.

But something  larger was brewing. Amidst hacktivists’ attacks on Sony, HBGary and NATO, highly sophisticated, clandestine attackers—the kind with the rarefied expertise, deep pockets and specialized resources typically only seen in nation-state adversaries—were actively infiltrating a broad range of targets.

These attacks were different: they were patient, stealthy and leveraged a potent combination of technical skill and social savvy.  Some used clever social engineering to get a foothold into their target organizations, while others used zero-day vulnerabilities—previously unknown holes in software—to penetrate defenses. 

While advanced attacks have happened for years, IT security experts observed recent attacks had grown bolder and more frequent. Recent attacks were also highly targeted, customized, well-researched and, in many cases, employed both technical and social
components.

The term used to describe such complex, sophisticated attacks was
“advanced persistent threats” (APTs), but as IT security experts quickly pointed out, APTs were only as advanced as they needed to be to get the job done. A concrete definition is elusive and, as cautioned, “Defining it could limit us and lead us to be blindsided. We need to constantly revisit the characteristics because they’re always changing.”

Much of the day’s focus was on the techniques of highly organized attackers. such
advanced threats, which include APTs, span from corporate espionage to hacktivism.

This article distills certain key insights from those discussions and
aspires to advance the industry’s dialog on advanced threats, spur disruptive innovation and disseminate some of our learnings from some of the most seasoned professionals in information security.

From a Cookie-Cutter Approach to Adaptive

In 2000, the I LOVE YOU worm crippled more than 50 million Pcs. The delivery mechanism was simple but effective: an e-mail showed up in your in-box with a subject line of “iloveyou.” When people clicked on the e-mail’s attachment, titled “love-leTTer-Foryou,” they were infected with a computer worm. while the damage was significant, a
partial solution to this problem came in the form of antivirus software: a signature could be deployed to antivirus agents that would identify the file as malicious and arrest its actions.                                                                          
Today, generic malware is still profuse but signature-based defenses, at either the network or host layer, can greatly decrease the odds of infection. What makes recent
advanced threats different is their defiance of a signature. In the world of advanced threats, malware evolves quickly, and security experts have  described several cases of special-purpose malware custom-developed specifically for their targets. Some were
compiled within hours of launching the attack.

It became clear that enterprises targeted by highly organized attackers cannot depend on signature-based “bread and butter” security tools as a sole means of defence. While the payloads of some advanced threats were fairly standard, entry strategies were often custom tailored.

Attackers typically used social networking sites to gather intelligence and identify specific users within an organization. Some of the main infection vectors that cited were  e-mail, Skype and instant messages with malware payloads in the form of PDFs, compressed HTML, script files, executables and attachments.
customization of attack techniques extend through data exfiltration.

Advanced threats often use sophisticated methods for compressing, encrypting and transmitting data to other compromised organizations, leaving little evidence of the origin of the attack or the destination for stolen information. This move from generic to tailored, from cookie-cutter to adaptive, means that security organizations need to think beyond signatures and re-evaluate how effective their current defenses are.

Remember that people, not technology, were the Achilles heel in most defensive strategies.

People are the Weakest Link 
“People are the weakest link” is perhaps the biggest cliché in information security. Security experts have long understood that users make bad choices, click on links they shouldn’t and install malware through simple ruses.

Corporate IT departments deploy multiple controls to help deal with this threat: e-mail filtering solutions catch many attacks before they make it to users, malicious links are blocked by the network, network scanners look for malicious content, and host-based antivirus (the last line of defense) tries to stop what slips through the cracks.

This process works well for generic, shotgun attacks in that signatures can be updated quickly to immunize users. Advanced attackers, however, are now creating highly credible scenarios in which they convince users to click on dialog boxes warning of fake software updates, retrieve content from quarantined areas and act (unknowingly) on behalf of the attacker.

Attackers have become dangerously adroit at using our weaknesses and behaviors against us. Attackers are creatively leveraging people inside the company to help accomplish their goals. “Internet scams are supposed to be sloppy, but they work.”

Advanced threats defy that stereotype. Experts put a fine  point on it: “The perimeter is not a firewall; it’s our users. They don’t treat their computer as an adversary; they treat it as a tool—an extension of themselves—so they don’t question what it tells them.”

Addressing the people problem will take more than technology. Organizations need to
drive a sense of personal responsibility for security among employees.

Attackers Aim for Advantage, Not Infamy

Advanced attacks are typically not the product of hobbyists. These attacks often require months of planning, mapping out internal networks by looking at the fringes.

The reconnaissance can go much further: targeting key employees, deconstructing their life by scouring social media, custom-crafting an attack so that it is stealthy, patient, and very effective.

Cybercriminals, the ones who look to steal credit card numbers and other
commoditized and sellable data, have become increasingly sophisticated but advanced
attacks are different. Increasingly, they focus on espionage—stealing specialized data
that may be of high value and strategic importance to the commissioning entity, which
can be foreign governments, rival corporations and organized crime groups. The entities behind advanced attacks literally mean business.

Also, entities perpetrating many advanced attacks are substantively different from the
hacktivists groups that have attracted attention in recent times. Hacktivists want to
embarrass and expose their targets’ activities, taking pride in publishing their conquests.

Many advanced attackers, in contrast, have the goal of stealth. They do not want to be
discovered or seek publicity.

Now some advanced threats are now masquerading as hacktivist attacks, with the goal being to confuse forensics and place blame on groups that are often eager to accept it. This pattern makes it difficult to size the scale of advanced threats: a willing scapegoat makes post-incident attribution particularly problematic.

The New Normal: Act as Though You Are Already Hacked  

The events of the year have shown that determined adversaries can always find exploits through people and in complex IT environments. It’s not realistic to keep
adversaries out. Organizations should plan and act as though they have already been breached.

Three foundational principles of security are compartmentalization, defense in depth and least privilege. in combination, these three tenets dictate that if one system (or person) is compromised, it should not result in a compromise of the entire system.

While simple in concept, these tenets have proven complicated to implement in practice. Organizations have long relied on the notion of a “perimeter,” where a big thick wall—in the form of firewalls and gateway defenses—guards the organization, with good guys (insiders) on one side of the wall and attackers on the other.

Security perimeters are now considered a construct of the past. Boundaries are nearly
impossible to define in modern organizations. The inclusion of partially trusted users
such as customers, suppliers, contractors, service providers, cloud vendors and others
have made organization boundaries very porous. Beyond the eradication of traditional
organizational boundaries, the consumerization of IT has brought a rash of unmanaged
devices into the enterprise and exposed the organization to services (and suppliers) that are opaque.

IT consumerization has also blurred the line between the business lives and
the personal lives of employees. We have moved from the illusion of a perimeter-driven defense to living in a state of compromise.

Accepting that some systems, some people, and some services may already be under the control of attackers changes information security strategy. it forces a return to the core principles of compartmentalization, defense-in-depth, and least privilege.

Organizations need to focus on closing the exposure window and limiting damage through efforts to compartmentalize systems, stop sensitive data egress and contain malfeasance. This new model also demands that we rethink old habits of sharing sensitive corporate information—such as source code, product plans and strategic roadmaps—using collaborative processes that presume perimeter defenses can keep attackers out.

Security improves through greater situational awareness: gaining the ability to
understand what’s happening beyond our network boundaries to detect threats on the horizon. Organizations get smarter by looking beyond their infrastructure and observing  the ecosystem. The ecosystem approach to security relies on organizations actively sharing information with other organizations about threats. It also demands greater visibility into the security of suppliers and service providers within one’s supply chain.

The key is to know what digital assets are important to protect, where they reside, who
has access to them and how to lock them down in the event of a breach. This ability to
tighten the net before and during an attack is key, and it requires a mature process for
incident handling. Incident response should not be considered exclusively a security
function. Instead, it is an organizational competency that must be developed and
continually honed well before an attack occurs. if organizations are planning responses
as an attack unfolds, they are too late. A competency approach allows remediation
activities to kick in automatically—like a reflex.

The Road Ahead

The reality of advanced threats demands a disruptive approach to defense—one where
enterprises can be agile and thrive in a contested environment. This approach must be
applied holistically: approaching advanced threat defense not as a discrete function but
as a natural consequence of robust but agile security.

Many of the holes that exist today come from an unmanageably complex iT infrastructure. Given that information security is a “weakest link” problem, only through understanding our assets, processes and endpoints do we have a chance at effective defense. Unraveling complexity and fielding a successful defense means that we also need to think creatively about the range of attacker motivations, which can extend far beyond data theft.

With every new technology, we have the ability to weave security into its fabric, to begin anew. We are at the start of an industry-wide move to cloud-based services and systems. We stand on the precipice of a sea-change in technology. There is a new mantra that goes within the industry saying “If we can’t get it right with cloud, shame on us.”

Today more than ever, security is an ecosystem problem in which every constituent has a responsibility. Attackers are collaborating, sharing information, going after the supply chain, co-opting careless insiders and evading our long relied-upon defenses. we need disruptive collaboration and innovation in defense. Through collaboration, information sharing and increasing our agility, we can successfully fend off APTs and other advanced threats.

Happy Holidays! And a blessed new year to all!

 

Advertisements

Social Networking and Balancing It To Network Security Objectives

With the explosion of social networking, interaction and  collaboration, email has lost its position as the primary Internet-based
communication tool. In fact, in a related literature that I’ve recently read, it reported that there were more social networking accounts than Webmail accounts in 2009.

Today, users rely more on blogs, tweets, social networking posts and  even video clip communications to enrich both personal and professional information exchange. Even businesses are leveraging social networking to communicate with customers, employees and partners.

While these sites and services offer tremendous business benefits, they also present serious risks that have to be managed. For instance,they are often the target of malicious attacks due to their popularity. Video sites like YouTube consume tremendous amounts of bandwidth if they are not properly managed on the corporate network. And employees may intentionally or accidentally leak sensitive company data onto a social networking site, breaches that can result in lost competitive information, public relations headaches, fines, legal action and more.

The good news is, with the right security approach, these consequences can be successfully avoided.

In addition to addressing technology gaps, you also have to educate users  about social networking security problems that stem from simple human error. And while the end user will likely remain the number one security risk for any organization, dramatic results can be achieved with just general security training.

Education should begin with the basics, but can be placed in the context of social networking to make them fresh and interesting.
For example, good login and password practices are a common problem within social networking. Routinely changing login credentials and protecting the confidentiality of passwords are basic security requirements – or should be. While this may sound like common sense, there was this recent fiasco may have been caused by one scientist who actually included his password in his email signature. So even highly educated users need to be reminded about basic security measures. Cybercriminals also know that many users use the same login ID and password on multiple sites, which enables attackers to easily gain access to social networking accounts. In one instance, many Twitter accounts were hacked when users were tricked into creating an account on a fake torrent site.

Other examples that are much less dramatic, but occur much more frequently, take place when users try to share something to a select group in an appropriate way, but do not realize that the way they shared it made it available to a broader group. Some applications may be popular enough to reasonably provide in-depth application training for users. A great example of an easily avoidable issue
recently occurred when over 100 million Facebook pages were compromised simply because most users did not understand some of the security settings available.

It may be worthwhile to start surveying users to identify their needs, applications of choice and perhaps even their own list of concerns. Then prepare a plan to ensure users are aware of how to use those applications safely.

Also, users need to be reminded that there are no safe zones on the web – including social networking sites. Assume that everything revealed on a social networking site will be visible on the Internet forever. Once it has been searched, indexed and cached, it may later turn up online no matter what steps are taken to delete it.

Finally, most users are no different than IT – no one reads the manual. So many users won’t really understand security guidelines until they violate them once or twice. “Coaching screens” are informational pop-ups or browser redirects that would appear at the instant a violation occurs to inform the user they have violated a policy, someone else knows about it, and explains how to prevent it from happening again. From a product standpoint, IT should look for solutions that not only provide security, but can also support education efforts.

Conclusion
Social networking has achieved a level of popularity that requires reasonable access at work, but it is also sufficiently mature to bring value to many businesses. But safe social networking requires an aggressive and layered security strategy at the web gateway, as well as the definition of new usage policies and priorities from management and IT. Better end-user education will also be required to ensure workers use social networking applications safely and appropriately.

The combination of layered security and education can help organizations dramatically reduce the risks from malware, phishing, data loss and bandwidth abuse.

Why is all this necessary? Cybercriminals are taking advantage of social networking’s fundamental model of familiarity, trust, sharing and open communications  to dupe users and steal valuable data.”

To close these security gaps, IT and business leaders must ensure they have the right security strategies   in place to identify and protect against the rapid evolution of social networking threats.

Firesheep

I was going through some websites last night when a word caught my attention…. It was FIRESHEEP. Intrigued, i decided to make some research.

Firesheep, as it turns out is a new Mozilla Firefox extension (obviously, anyone can have this as long as that person is using Firefox), that lets ordinary users hack into Facebook and Twitter accounts easily. Now the social network developers and owners  have something to look into, and people who login to these social networking sites over open and unsecured WiFi networks should avoid logging in, at least for now.

Firesheep adds a sidebar to Mozilla’s Firefox browser that shows when anyone on an open network — such as a coffee shop’s Wi-Fi network — visits an insecure site.

Based on the information that I have acquired, Firesheep was developed to demonstrate the need for a secure web. In other words, it meant to test the vulnerability of websites to hacker attacks, with the help of open and unsecured networks. And, think about this, they are not professional hackers, they could be anyone who has Firesheep installed in Firefox. It could be your friend or foe or anybody who just want to make fun out of it, or worse, cyber criminals who will steal your personal information resulting to identity theft.

It’s that easy. Wow! Now anyone can log in on Facebook and Twitter among other social networks.

That is scary and dangerous, isn’t it? And oh, I forgot. It only works on non secured sites or in technical lingo, non HTTPS sites and on Wi-FI (if you are within the same IP network and subnet), which, is being used by all of the social networking sites today. Although I have made some special mention on the social networking sites here, other non-https site may also be affected like Amazon, Flickr, etc. Webmails using https are not affected. So better check your webmails now if they support the secure http protocol and better make adjustments.

Are Social Networking Sites Harmful?

Recently, we have been bombarded by information on the pros and cons of social networking sites. While we in the IT industry may think it could just be a trend, but it is really fast catching up. Even mobile phones have promos where you can avail of browsing social networking sites at a fixed cost per day, the usage of these sites may have such pros and cons.

It may be fun, but if we look at it at another prospective, it is a breeding ground for nasties in the web. A lot of surveys and statistics have come out lately detailing how much of a risk social media presents, most especially to employers. It has become the delivery method of choice for bot masters and malware fiends; it is rapidly becoming the medium du jour for scam artists; and it presents an ever present and growing risk of accidental disclosures.

If you’re using Facebook, Twitter, LinkedIn, or any one of the other 3,247 social networks on the job, you may be putting both your employer and yourself in harms way.

Let’s look at some of the numbers.

  • Social media users are 10x more likely to fall for a malware scam by clicking an unsafe link than email users. Around 10% of nasty sites end up being clicked, vs. 1% of email nasties. The reason? People are more trusting on social sites than anywhere else. Or, it could be the fact that people are now educated on handling e-mail links.
  • 20% of organizations has suffered a leak of sensitive, confidential or private information via social network sites.
  • 33% of SMEs have malware infestation coming from a social network site. 1/3 of these figures costs around Php 250,000 or more to clean up.
  • Nearly 90% of the report say that they had their privacy violated.
  • 80% reported bandwidth wastage.

Roughly a third of SMBs ban social media use at work. Odds are, though, they just think they’re banning them. In fact, studies have shown that social media apps are now present in 90% of company networks. Not surprisingly, Facebook is the most popular app, but Twitter, MySpace, and LinkedIn are all above 80 percent.

If you’re an IT personnel who believes you’ve successfully booted social media apps from your company’s premises, better check again.

Of course, the sources for most of these stats are security companies whose goal is to sell you software. And of course, there are only four kinds of lies: lies, damned lies, statistics, and campaign promises. Still, these numbers ring true to me.

Should you stop using social media altogether? No. But you and your company need to be smarter about what you say and do on Facebook, Twitter, LinkedIn, et al.  Because the bad guys are watching, and they aren’t messing around.